CVE-2025-63419 is a medium-severity Cross Site Scripting (XSS) vulnerability affecting CrushFTP version 11.3.6_48, a web-based file transfer server. The vulnerability stems from the file-sharing feature where filenames are reflected into an email body field without any input sanitization or encoding. This lack of sanitization allows an attacker to inject malicious HTML or JavaScript code into the filename, which is then included in the email body sent to users. When the recipient opens the email or interacts with the affected interface, the injected script executes in their browser context. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the attack can be performed remotely over the network without privileges, requires low attack complexity, no privileges, but does require user interaction. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity but not availability. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly.

For European organizations, the impact of this XSS vulnerability in CrushFTP can be significant, especially for entities relying on this software for secure file sharing and transfer. Exploitation could lead to session hijacking, credential theft, or phishing attacks by injecting malicious scripts into emails or web interfaces. This could compromise sensitive data confidentiality and integrity, particularly in sectors handling personal data, intellectual property, or regulated information such as finance, healthcare, and government. The vulnerability could also damage organizational reputation and lead to regulatory non-compliance under GDPR if personal data is exposed or manipulated. Since the vulnerability requires user interaction, social engineering could be leveraged to increase exploitation success. The absence of patches increases the window of exposure, making proactive mitigation critical.

European organizations using CrushFTP 11.3.6_48 should immediately implement the following mitigations: 1) Disable or restrict the file-sharing feature that reflects filenames into email bodies until a patch is available. 2) Implement input validation and output encoding on all user-supplied data, especially filenames, to neutralize HTML and script content. 3) Employ email filtering solutions that detect and block suspicious HTML content or scripts in emails. 4) Educate users to be cautious with unexpected or unusual file-sharing emails and avoid clicking on suspicious links or content. 5) Monitor logs for unusual activity related to file sharing or email generation. 6) If possible, upgrade to a later, patched version of CrushFTP once available. 7) Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this vulnerability. These steps go beyond generic advice by focusing on the specific vulnerable feature and attack vector.